Machine Learning Is Detecting the Phishing Problem

By Jyoti Nigania | Jan 9, 2019 | 1845 Views

Machine learning involves the automation of operations via intelligent mechanisms that can adjust and adapt as needed. This reduces the need for human intervention, provided the right controls are in place.

Anti-phishing solution
I spoke with email security organization EdgeWave's President Steve Kelley about machine learning as it applies to the issue of email phishing, which represents a constant threat to organizations and users.

According to Kelley, EdgeWave engineered a multi-layered email security platform that provides pre- and post-delivery security and incident response. At the core of the platform is an automated, anti-phishing solution, which uses both machine learning and human review to quickly analyze and resolve any suspicious email. This approach dramatically reduces advanced, targeted attacks, while also significantly lowering the time and money spent by IT.

The conversation follows:
Scott Matteson: How is machine learning used to secure email inboxes?

Steve Kelley: Machine learning is constantly leveraged by our EdgeWave Threat Detection Center. EdgeWave maintains a threat database containing data on all the elements that comprise an email. This database is constantly updated and used to review each element for every email. The combination of individual email element suspicion augmented with our human analyst intelligence drives the machine learning within the EdgeWave Threat Detection Center.

Part of our machine learning is also the intelligence gained from a human review. We know that machine learning can only go so far before, in some cases, a human must perform a more thorough analysis and review. But the intelligence learned from the human review is absolutely rolled back into the machine learning process in a never-ending cycle.

Scott Matteson: What signs does it look for, and how does it respond accordingly?

Steve Kelley: As the various elements of an email are very clearly defined (return-path, content-type, etc.), EdgeWave reviews each of these for every email against our threat database. In many cases, we see where individual elements can be suspicious, but when combined together they create a malicious email.

Scott Matteson: What is an example of a significant challenge in countering email phishing attacks?

Steve Kelley: The challenge for email is that it tends to be the starting point for cyber-attacks rather than the sole perpetrator. Consider, for example, situations where JavaScript is embedded in a PDF attachment, which is opened. JavaScript only kicks off the exploit process. Determining if the JavaScript itself is malicious is challenging without directly running the script and evaluating the subsequent actions (sandboxing). The outcome of the JavaScript actions can be evaluated against our threat database to determine a level of suspicion.

EdgeWave has a taxonomy of over 40k rules based on the information and processes described above. Many of these are the result of machine learning (A+B+C = bad) plus detailed analysis by our threat detection analysts. This logic is then added back into our threat database so that our learnings do evolve with every analysis.

Scott Matteson: Is there a sort of scale from 0 to 10 as to how likely an email is a phishing attempt, whereby 0 is not at all likely and 10 is very likely?

Steve Kelley: All ThreatTest messages are presented to EdgeWave analysts with key indicators highlighted and color coded. This scoring is designed to give our analysts a quick visual indicator of the suspicion level as well as which elements were already checked. It also helps the analyst understand where they need to spend their time to most efficiently determine the correct classification for the email.

Scott Matteson: What is the end-user experience like with ThreatTest?

Steve Kelley: Our user experience is an extremely simple and completely closed loop. Users submit messages via an Outlook plug-in that works across desktop Outlook (Windows and Mac), the Outlook mobile app (iOS and Android), and Outlook Web Access. Once a message is submitted, it is moved from the user's inbox to the customer's ThreatTest quarantine where it waits for classification. At the same time, the end user receives an email notification informing them that the email was accepted and is being reviewed by an EdgeWave Threat Detection Analyst. Once the message is classified, the end user submitter is then notified of the classification and the appropriate action based on the customer administrator's configuration.

Scott Matteson: What are the results if an item is deemed a threat; how precisely does the software respond?

Steve Kelley: Ultimately, the decision on how to respond to a malicious email is up to the organization's administrator to define. The default action is to delete the message. End-user submitters are notified via email that the message was classified as malicious and what action was performed on the message. Again, the action is defined by the customer. With our Incident Response capability, we can also search the customer's mail store for the same message in other users' inboxes and delete all instances.

Scott Matteson: What are some subjective day-to-day examples of ThreatTest in action?

Steve Kelley: We've seen an increase in phishing messages that are very light on text and have no links or attachments. The entire message feels suspicious, but there is no content to activate any malicious activity. Further research by the EdgeWave Threat Detection Center discovered that these simple emails were quite literally the opening salvo. Replying to the email returns another basic email, this time asking the recipient to purchase gift cards. Again, there are no URLs or attachments to activate, just plain text. Two email exchanges and zero malicious or activatable content.

The next email asks the recipient to send the codes from each gift card via email since there is no time to mail the physical cards. Once again, no malicious content, but the hook is set. At this point, the victim can easily back out. But if they continue, the criminal now has hundreds of dollars' worth of gift card codes they can redeem anywhere. A very small version of business email compromise, but much more difficult to detect due to the use of very basic email with no malicious or activatable content.
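The interview describes element-by-element review where individually weak signals (return-path, reply-to, a plain-text ask with nothing to activate) add up to a verdict, with uncertain cases escalated to a human analyst. The following is an added Python illustration of that layered scoring; it is not EdgeWave's code, and the rule weights, thresholds and sample messages are constructed for this example.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed samples (not real traffic). LURE mirrors the plain-text gift-card
# opener from the interview: no links, no attachments, just a short ask.
LURE = b"""From: CEO <ceo@example-corp.test>
Reply-To: ceo.personal@webmail.test
Return-Path: <bounce@webmail.test>
Subject: quick favor
Content-Type: text/plain

Are you at your desk? I need gift cards today. Send me the codes by email, no time to mail the cards.
"""
BENIGN = b"""From: Alice <alice@example-corp.test>
Return-Path: <alice@example-corp.test>
Subject: Lunch
Content-Type: text/plain

Team lunch is at noon on Friday.
"""
LURE_WORDS = ("gift card", "codes", "no time", "are you at your desk")

def _domain(header_value):  # lower-cased domain of an address header, '' if absent
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def score_message(raw):
    """Return (score, fired_rules). Each rule is weak alone; the sum is what matters."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender, fired = _domain(msg["From"]), {}
    if _domain(msg["Return-Path"]) not in ("", sender):
        fired["return_path_mismatch"] = 2
    if _domain(msg["Reply-To"]) not in ("", sender):
        fired["reply_to_mismatch"] = 3
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    has_link = bool(re.search(r"https?://", text, re.I))
    has_attachment = any(p.get_content_disposition() == "attachment" for p in msg.walk())
    if not has_link and not has_attachment:
        fired["no_activatable_content"] = 1  # light message: weak signal by itself
    if sum(w in text.lower() for w in LURE_WORDS) >= 2:
        fired["gift_card_lure_text"] = 3
    return sum(fired.values()), fired

def classify(raw, review_at=3, malicious_at=6):
    """Map the score to an action; the middle band is escalated to a human analyst."""
    score, fired = score_message(raw)
    verdict = "malicious" if score >= malicious_at else "analyst_review" if score >= review_at else "clean"
    return verdict, fired
```

A message that trips only one header rule lands in the review band, which is where the interview's human analyst step sits; their classification would then feed back into the rule weights.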

Source: HOB